In search of the “Puppet Master”

Who is pulling the strings controlling that company? Financial institutions will face requirements in this area beginning this May.

One of my favorite quotes about the risks of beneficial ownership comes from the back cover of a 2001 Staff Paper of The International Bank for Reconstruction and Development/The World Bank.1 It reads:

“Corruption and other criminal assets, complex money trails, strings of shell companies and other legal persons and legal arrangements (such as foundations, trusts and trust-like arrangements). These form the complex web of subterfuge in financial crimes cases, behind which hides the beneficial owner—the puppet master and beneficiary of it all. “

Not knowing who that “puppet master” is exposes financial institutions to a number of risks, including:

• The inability to identify undesirable relationships, i.e., those parties a financial institution would not have accepted as customers because of their reputation and/or negative news had they directly sought to open an account with the institution.

• The failure to identify Politically Exposed Persons (PEPs) or other people in positions of power who may be controlling or investing in a legal entity.

• The inability to monitor transaction activity holistically if accounts with common beneficial owners are not linked.

Not all beneficial owners are bad, of course. But it is the identification of shady and otherwise high-risk beneficial owners that has been a longstanding concern of multinational bodies, including the Financial Action Task Force (FATF), the United Nations, and Transparency International.

This concern was also the impetus for FinCEN’s Customer Due Diligence Rule (CDD rule), the “fifth pillar” of an effective AML compliance program.2

Background of the rule

The FinCEN rule has been a long time coming. It was finalized on May 6, 2016, and published in the Federal Register five days later. This came a decade after the United States was criticized in a FATF Mutual Evaluation Report for deficiencies in its AML regime related to the identification of beneficial ownership. And this came four years after FinCEN’s Advanced Notice of Rulemaking on the topic.

Cynics might also note that the announcement of the final CDD rule came just one day after the now-infamous Panamanian law firm, Mossack Fonseca, sent a cease-and-desist letter to the International Consortium of Investigative Journalists in a failed attempt to stop the release of the Panama Papers.

That event served as a powerful reminder of how offshore companies could be used by beneficial owners.

Implementing rule’s beneficial ownership requirements

FinCEN gave covered financial institutions3 two years (until May 11, 2018) to prepare for the rule.

Many financial institutions had implemented their own beneficial ownership standards before the FinCEN rule was finalized. This suggests that the two-year implementation period should provide ample time for the industry to conform to the new requirements.

However, there is a difference between adhering to an institution’s own internal standards and ensuring compliance with a regulation.

For most institutions, this should have resulted in a reexamination of current practices and an assessment of readiness to meet the rule’s requirements.

Broadly speaking, we can group the beneficial ownership requirements of the rule into three categories:

1. Programmatic

2. Process

3. Technology/Data

Programmatic considerations

The FinCEN rule proactively imposes a two-prong approach for identifying beneficial owners of a legal entity (with some exceptions):4

1. Each individual, as many as four and as few as zero, who, directly or indirectly, owns 25% or more of the equity interests of a legal entity customer; and

2. A single individual with significant responsibility (e.g., a C-suite executive) to control the legal entity customer, even in cases where no individual meets the equity threshold.

Identification of beneficial owners must be current at the time of account opening and must be certified as accurate by an individual authorized by the customer to open accounts at the financial institution.

While there is no requirement to update beneficial ownership on a real-time basis, FinCEN’s rule sets forth an expectation that beneficial information will be refreshed when periodic customer reviews are performed.

The preamble to the final rule states:

“. . . that the 25 percent threshold is the baseline regulatory benchmark, but that financial institutions may establish a lower percentage threshold . . . based on their assessment of risk in appropriate circumstances.”

Many financial institutions that adopted beneficial ownership standards prior to the finalization of the FinCEN rule have been using a 10% equity ownership threshold. As tempting as it might be to raise that threshold to 25% now, institutions should carefully consider whether they can support and justify the increase to their regulators.

If 10% was the right threshold based on the institution’s own risk-based determination, what makes 25% the right threshold now?

Financial institutions must also remember that the FinCEN rule is not the only law or regulation that requires collection of beneficial ownership information. Other examples include the Foreign Account Tax Compliance Act (FATCA) and the Office of Foreign Assets Control 50% Rule.

In addition, financial institutions that operate multinationally also need to consider the beneficial ownership rules of host countries that may not be identical to the U.S. requirement. For example, while the 25% threshold is standard across many jurisdictions, information and/or verification requirements may differ.

For larger, more complex financial institutions, it may make sense to centralize the collection of all required beneficial ownership information to minimize the number of times a legal entity customer may be asked to provide this information.

Process considerations

Financial institutions should assess whether their customer due diligence/enhanced due diligence policies and procedures provide the guidance necessary for performing initial and ongoing due diligence on beneficial owners, particularly in the case of complex, multi-layered arrangements. In fact, financial institutions may want to set some expectations regarding the number of levels of beneficial ownership they find acceptable.

This leads me to share another of my favorite beneficial ownership quotes, this one from an executive at the Caribbean Development Bank:5

“Whenever more than three layers of legal persons and arrangements separate the end-user natural persons (substantive beneficial owners) from the immediate ownership or control of a bank account, the potential client has a high burden of proof to demonstrate the legitimacy and necessity of such a complex organization before the bank will consider establishing a relationship."

Other process considerations that need to be addressed prior to the effective date include changes to onboarding and ongoing CDD and enhanced due diligence forms and related guidance to ensure that beneficial ownership is captured.

In addition, another point to address is a determination of whether existing customer risk-rating methodologies adequately capture potential risks of beneficial ownership. Most customer risk methodologies would add points if a beneficial owner were identified as a PEP or were the subject of negative news.

A financial institution might also want to consider, for example, how its existing customer risk rating methodology accounts for beneficial ownership scenarios such as:

• A legal entity customer domiciled in the U.K., doing business throughout the E.U., with a beneficial owner in Russia.

• Multi-layered beneficial ownership relationships.

Technology/Data Considerations

Financial institutions should make systems changes, as necessary, to enable collection of beneficial ownership information and linkages of accounts with common beneficial owners for the purposes of currency transaction reporting and transaction monitoring. This may require using data analytics to identify such relationships.

Additionally, institutions need to ensure that they can screen beneficial owners against sanction lists. To the extent beneficial ownership information is not systematically captured today, that should be a priority.

Financial institutions that haven’t already addressed needed technology changes will be hard-pressed to make changes between now and the May effective date. As a result, they will need to explore manual workarounds for ensuring compliance.

Implementing other requirements of CDD rule

Although identification of beneficial owners is the driving force behind the FinCEN CDD rule, the rule does impose other CDD/EDD requirements, which are already industry-leading practices. These require covered financial institutions to implement and maintain risk-based procedures for conducting ongoing customer due diligence to include:

• Understanding the nature and purpose of the customer relationships; and

For some institutions, these requirements may necessitate changes to policies, procedures, and account opening forms to ensure that the institution is collecting sufficient information to develop a customer profile. Also, updates may be required to policies and procedures to identify the trigger events that would warrant updating of customer information.

Another important point: Covered financial institutions should ensure that affected employees are trained on all aspects of the FinCEN CDD rule and the institution’s policies and procedures for ensuring compliance.

Financial institutions will also want to monitor regulatory releases for additional compliance guidance. FinCEN has indicated it will issue another set of FAQs prior to the May 2018 effective date. In addition, the Federal Financial Institutions Examination Council is reportedly working on updates to its BSA/AML Examination Manual to incorporate the requirements of the CDD rule.

Identifying the puppet master has always been an underlying priority for financial institutions as part of their ongoing risk management efforts. Now, FinCEN’s CDD Rule is making it a requirement and covered financial institutions need to be ready to comply.

2.At the time this article was written, a technical conflict between Title 12 (authority for banking regulators to conduct AML reviews) and Title 31 (which codified the “fifth pillar”) made it unclear how regulators would cite violations of the FinCEN CDD rule.

Carol Beaumier is a Senior Managing Director in the Risk and Compliance practice at Protiviti. Prior to joining Protiviti, Carol was a Partner with Arthur Andersen where she led the Global Regulatory Practice; a founding member of The Secura Group and leader of the firm’s Risk Management practice; and a regulator with the Office of the Comptroller of the Currency.